azure_identity 0.31.0

Rust wrappers around Microsoft Azure REST APIs - Azure identity helper crate
Documentation

Azure Identity client library for Rust

The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) authentication support across the Azure SDK.

Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation

Getting started

Install the package

Install the Azure Identity library for Rust with cargo:

cargo add azure_identity

Prerequisites

Authenticate during local development

The Azure Identity library supports authenticating through developer tools to simplify local development and debugging.

Authenticate via the Azure CLI

DeveloperToolsCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To log in to the Azure CLI, run az login as described in Azure CLI documentation.

Authenticate via the Azure Developer CLI

DeveloperToolsCredential and AzureDeveloperCliCredential can authenticate as the user signed in to the Azure Developer CLI. To log in to the Azure Developer CLI, run azd auth login as described in Azure Developer CLI documentation.

Key concepts

Credentials

A credential is a struct that can acquire access tokens for Azure resources. The Azure Identity library offers various credentials for use by Azure SDK service clients. See the Credential structures section for a list of this library's credentials.

Examples

Authenticate with DeveloperToolsCredential

DeveloperToolsCredential simplifies authentication while developing apps. It attempts to authenticate via a series of developer tools such as the Azure CLI, stopping when one succeeds. After receiving a token from a particular tool, it uses that tool for all subsequent token requests. See the type's reference documentation for more details.

This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DeveloperToolsCredential.

use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = SecretClient::new("https://TODO.vault.azure.net/", credential.clone(), None)?;

Authenticating with a Federated Identity Credential (FIC)

This example demonstrates how to authenticate an Entra application with an access token from a managed identity. See Configure an application to trust a managed identity for more information about this scenario. This example shows a Key Vault client, however the same approach can work with any Azure SDK client that uses a TokenCredential.

use azure_core::credentials::TokenCredential;
use azure_core::http::ClientMethodOptions;
use azure_identity::{ClientAssertion, ClientAssertionCredential, ManagedIdentityCredential};
use azure_security_keyvault_secrets::SecretClient;
use std::sync::Arc;

#[derive(Debug)]
struct AccessTokenAssertion {
    credential: Arc<dyn TokenCredential>,
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl ClientAssertion for AccessTokenAssertion {
    async fn secret(&self, _: Option<ClientMethodOptions<'_>>) -> azure_core::Result<String> {
        Ok(self
            .credential
            .get_token(&[&"api://AzureADTokenExchange/.default"], None)
            .await?
            .token
            .secret()
            .to_string())
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let assertion = AccessTokenAssertion {
        credential: ManagedIdentityCredential::new(None)?,
    };

    // this credential exchanges the managed identity's tokens for the specified Entra application's tokens
    let credential = ClientAssertionCredential::new(
        String::from("tenant ID"),
        String::from("client ID"),
        assertion,
        None,
    )?;

    let _client = SecretClient::new("https://TODO.vault.azure.net/", credential.clone(), None)?;

    Ok(())
}

Credential structures

Developer tools

Credential Usage
AzureCliCredential Authenticate with Azure CLI.
AzureDeveloperCliCredential Authenticate with Azure Developer CLI.
DeveloperToolsCredential Simplified authentication for application development.

Azure-hosted applications

Credential Usage
ManagedIdentityCredential Authenticate the managed identity of an Azure resource.
WorkloadIdentityCredential Supports Workload Identity on Kubernetes.

Service principals

See Service principal authentication for general information about service principals.

Credential Usage
AzurePipelinesCredential Authenticate an Azure Pipelines service connection.
ClientAssertionCredential Authenticate a service principal with client assertions.
ClientCertificateCredential Authenticate a service principal with a certificate.
ClientSecretCredential Authenticate a service principal with a secret.

Next steps

Client library support

Client and management libraries listed on the Azure SDK release page that support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.

Provide feedback

If you encounter bugs or have suggestions, open an issue.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You'll only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.